Slide 1
Using a VMware Network Infrastructure to Collect Traffic Traces for Intrusion Detection Evaluation

by

Frederic Massicotte, Mathieu Couture and Annie De Montigny Leboeuf http://www.crc.ca/networksystems_security/ {frederic.massicotte, networksystems-security}@crc.ca

Slide 2
Network Infrastructure for Automatic Traffic Collection

  • Requirements
    – Recording of all traffic
    – Network traffic noise control
    – Control of attack propagation
    – Usage of real and heterogeneous system configurations
    – Fast recovery to initial conditions

  • Solution
    – We develop a controlled virtual network using VMware

Much research, including research on IDS, requires testing and evaluation. This work proposes an automated approach to building large data sets of attack traces. Our infrastructure had to fulfill the following requirements: record traffic, to allow post-analysis; control noise, so that everything in the trace is known and relevant to the experiment; control attack propagation, confining attacks so that an infection cannot spread; provide realistic targets, and a great variety of them; and recover quickly to the initial conditions (prior to the attack), so that an experiment can be reproduced under the same conditions. We chose to build a virtualized environment in which a great variety of systems can be tested in an automated fashion. VMware offers a lot of functionality "out of the box": reverting machines to a given state, cloning, and support for many OS families. We have installed over 200 OS versions from the most popular families (FreeBSD, OpenBSD, NetBSD, Linux, Windows).

Slide 3
[Diagram] Virtual Network Infrastructure. Inputs to the Coordinators: Script Descriptions, Scenario Scripts, Target System Configurations, Virtual Machine Templates. Roles on the virtual network: Target, Stimulus, Supporting network components.

A core component is the coordinator. It has access to a database containing the descriptions of the scenarios and can pull specific scenario scripts. From these scripts, the coordinator chooses which targets and attackers are required, along with any other network components needed to support the communications (e.g. DNS, router). It sets up the virtual network, gives orders to the attackers, collects the traffic and labels the traces according to the scenario specification. Finally, the coordinator tears down the network and resets the virtual machines back to their original states.
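The coordinator's run sequence described above (revert to a known state, bring up the network, capture, stimulate, tear down, revert again), as an added example in Python; this is not the CRC infrastructure's own code. VMs are driven through VMware's vmrun command-line tool (revertToSnapshot, start and stop are real vmrun commands) and traffic is captured on the host with tcpdump. The VM paths, the snapshot name "clean", the capture interface "vmnet2", the Scenario fields and the stimulus command are constructed assumptions. The Host object is injectable, so the Recorder class lets the sequence be exercised without VMware installed.

```python
"""Coordinator skeleton for one scenario run on a VMware-based virtual network.

Added example, not the CRC infrastructure's own code. Paths, snapshot name,
capture interface and stimulus command are constructed assumptions.
"""
import subprocess
from dataclasses import dataclass, field

VMRUN = ["vmrun", "-T", "ws"]   # assumption: VMware Workstation host type


@dataclass
class Scenario:
    scenario_id: str
    target_vmx: str                       # .vmx of the target VM (assumed path)
    attacker_vmx: str                     # .vmx of the attacker VM (assumed path)
    support_vmx: list = field(default_factory=list)   # DNS, router, ... if needed
    stimulus_cmd: list = field(default_factory=list)  # host command that triggers the attacker
    capture_iface: str = "vmnet2"         # host-only virtual network (assumed)
    snapshot: str = "clean"               # snapshot every VM is reverted to


class Host:
    """Runs commands on the VMware host."""
    def run(self, cmd):
        subprocess.run(cmd, check=True)

    def spawn(self, cmd):
        return subprocess.Popen(cmd)

    def stop(self, proc):
        proc.terminate()
        proc.wait()


class Recorder(Host):
    """Dry-run host: records every command instead of executing it."""
    def __init__(self, fail_cmd=None):
        self.log = []
        self.fail_cmd = fail_cmd          # command that should simulate a failure

    def run(self, cmd):
        self.log.append(list(cmd))
        if cmd == self.fail_cmd:
            raise RuntimeError(f"command failed: {cmd}")

    def spawn(self, cmd):
        self.log.append(["spawn", *cmd])
        return "capture"

    def stop(self, proc):
        self.log.append(["stop", proc])


def run_scenario(sc: Scenario, host: Host = None) -> str:
    """Run one scenario and return the trace file name.

    Order: revert all VMs to the clean snapshot, start them, start the capture,
    fire the stimulus, stop the capture, power off and revert again. Teardown
    runs in finally blocks so that a failed run never leaves a compromised VM
    up or a capture process behind (attack confinement and fast recovery).
    """
    host = host or Host()
    vms = [sc.target_vmx, sc.attacker_vmx, *sc.support_vmx]
    trace = f"{sc.scenario_id}.pcap"
    started = []
    try:
        for vmx in vms:                                   # known initial state
            host.run(VMRUN + ["revertToSnapshot", vmx, sc.snapshot])
        for vmx in vms:                                   # bring up the network
            host.run(VMRUN + ["start", vmx, "nogui"])
            started.append(vmx)
        capture = host.spawn(["tcpdump", "-i", sc.capture_iface, "-w", trace])
        try:
            host.run(sc.stimulus_cmd)                     # launch the scenario
        finally:
            host.stop(capture)                            # nothing after this is recorded
    finally:
        for vmx in started:                               # confine: power off everything
            host.run(VMRUN + ["stop", vmx, "hard"])
        for vmx in vms:                                   # recover initial conditions
            host.run(VMRUN + ["revertToSnapshot", vmx, sc.snapshot])
    return trace


def dry_run(sc: Scenario, fail_stimulus: bool = False):
    """Run the scenario against a Recorder; returns (command log, error or None)."""
    rec = Recorder(fail_cmd=sc.stimulus_cmd if fail_stimulus else None)
    try:
        run_scenario(sc, rec)
        return rec.log, None
    except RuntimeError as exc:
        return rec.log, str(exc)


# Constructed sample scenario (paths and stimulus command are placeholders).
SAMPLE_SCENARIO = Scenario("scn-0001", "/vms/target-a/target.vmx", "/vms/attacker/attacker.vmx",
                           support_vmx=["/vms/dns/dns.vmx"],
                           stimulus_cmd=["echo", "run-scenario", "scn-0001"])

if __name__ == "__main__":
    log, err = dry_run(SAMPLE_SCENARIO)
    for cmd in log:
        print(" ".join(map(str, cmd)))
```

The point of the nested finally blocks is that the stop and revert commands are issued for every VM that was started, whether or not the stimulus succeeded; a run that crashes halfway through still ends with the network torn down and the machines back at their snapshot.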
Slide 4

Examples of Application

  • Passive Operating System Fingerprinting Data Set

– Captured over 200 operating system behaviours (with an older version of the virtual network infrastructure)

  • Fragmentation Impact Assessment Data Set

– Captured over 90 packet fragmentation behaviours of operating systems using Fragroute (fragment overlapping and reassembly timeout).

  • Intrusion Detection Evaluation Data Set

– 2343 traffic traces (now over 6000)
– 26 operating system versions (now over 85)
– 92 vulnerability exploitation programs (now over 95)

Slide 5
Intrusion Detection Data Set

  • Objectives
    – Automatically execute and test vulnerability exploitation programs
    – Use this data set against IDS
    – Look for false positive and false negative problems
    – Produce a data set of exploit traffic traces (freely available)

Slide 6
Intrusion Detection Data Set Classification and Labelling

  • Automatic classification of attack outcomes
  • Attacks are launched against vulnerable and non-vulnerable operating systems
    – To identify IDS accuracy for unsuccessful attacks (false positives)

Operating System Family   OS Versions   Scenario instances   Vulnerable / Not vulnerable   Success / failure / unclassified
FreeBSD                   7             270                  73/197                        4/27/239
Linux                     6             436                  79/357                        10/77/349
Windows                   13            1637                 948/689                       166/729/740

Classification and labelling: to be useful, it was felt that the traces had to be properly named (or labelled). The traffic is separated into multiple traces; each trace contains the traffic associated with one attack against one target. The name of each traffic trace gives the exploit program used, the target OS description, whether the target was vulnerable to the attack or not, and whether the attack was successful or not. For the data set of traffic traces currently available, it was decided that for each exploit program, all targets running a service on the port targeted by the exploit would be attacked, whether or not the targets were running a vulnerable version of the service. When determining whether the attack was successful, some cases were difficult to classify automatically (without human intervention). Efforts are currently being made to find ways to better discriminate between success and failure automatically.

Slide 7
Intrusion Detection Data Set Exploit Distribution

[Charts] Exploit distribution per protocol and port (bar chart, y-axis 0 to 40). Values as extracted from the figure: bar heights 3, 6, 1, 2, 3, 34, 13, 2, 1, 12, 2, 8, 1, 1, 1; protocol labels ip, tcp, tcp, tcp, tcp, tcp, tcp, udp, udp, tcp, tcp, tcp, tcp, tcp, tcp; port labels 2, 21, 23, 25, 42, 80, 135, 135, 137, 139, 443, 445, 901, 3372, 5000 (the last two fused as "33725000" in the extraction). Target operating system distribution (pie chart): OpenBSD 5%, NetBSD 5%, Linux 35%, FreeBSD 12%, Windows 43%.

On top of having all traffic traces labeled, some basic statistics can be extracted from the database to further document the dataset.
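The labelling scheme of slide 6 (exploit program, target OS, vulnerable or not, attack outcome), the per-family statistics of the slide-6 table, and the false-positive/false-negative check from slide 5, as one added Python example; this is not the CRC data set's own tooling. The slides only state which fields a trace name carries, so the concrete file-name format "exploit__os__vuln|notvuln__outcome.pcap", the rule that the OS family is the first dash-separated token of the OS description, and all sample labels and IDS alerts are constructed assumptions.

```python
"""Trace labelling, outcome statistics and IDS accuracy accounting for an
exploit-trace data set of the kind described on the slides.

Added example, not the CRC project's code. The label format and the sample
data below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

VULN = {"vuln": True, "notvuln": False}
OUTCOMES = ("success", "failure", "unclassified")


@dataclass(frozen=True)
class TraceLabel:
    exploit: str
    target_os: str          # OS description, e.g. "Windows-2000-SP4" (constructed)
    vulnerable: bool
    outcome: str            # one of OUTCOMES

    def filename(self) -> str:
        """Assumed naming scheme: exploit__os__vuln|notvuln__outcome.pcap."""
        vtag = "vuln" if self.vulnerable else "notvuln"
        return f"{self.exploit}__{self.target_os}__{vtag}__{self.outcome}.pcap"


def parse_label(filename: str) -> TraceLabel:
    """Recover the label from a trace file name; rejects malformed names."""
    stem = filename[:-5] if filename.endswith(".pcap") else filename
    parts = stem.split("__")
    if len(parts) != 4 or parts[2] not in VULN or parts[3] not in OUTCOMES:
        raise ValueError(f"not a data-set trace name: {filename!r}")
    exploit, target_os, vtag, outcome = parts
    return TraceLabel(exploit, target_os, VULN[vtag], outcome)


def os_family(target_os: str) -> str:
    """Assumption: the family is the first dash-separated token of the description."""
    return target_os.split("-", 1)[0]


def summarize(labels):
    """Per-OS-family counts in the shape of the slide-6 table: number of OS
    versions, scenario instances, vulnerable/not vulnerable, success/failure/unclassified."""
    rows = defaultdict(lambda: {"versions": set(), "instances": 0,
                                "vulnerable": 0, "not_vulnerable": 0,
                                "success": 0, "failure": 0, "unclassified": 0})
    for lab in labels:
        row = rows[os_family(lab.target_os)]
        row["versions"].add(lab.target_os)
        row["instances"] += 1
        row["vulnerable" if lab.vulnerable else "not_vulnerable"] += 1
        row[lab.outcome] += 1
    return {fam: {**r, "versions": len(r["versions"])} for fam, r in rows.items()}


def ids_accuracy(labels, alerted):
    """Score an IDS against the labels.

    `alerted` is the set of trace file names on which the IDS raised an alert.
    A silent successful attack is a false negative. An alert on a trace whose
    target was not vulnerable is the false-positive case the slides describe
    (the attack could not have succeeded). Alerts on vulnerable-but-failed or
    unclassified traces are counted separately so the analyst can decide how
    to treat them.
    """
    counts = {"true_positive": 0, "false_negative": 0,
              "fp_not_vulnerable": 0, "quiet_not_vulnerable": 0,
              "alert_on_failed_or_unclassified": 0}
    for lab in labels:
        hit = lab.filename() in alerted
        if lab.vulnerable and lab.outcome == "success":
            counts["true_positive" if hit else "false_negative"] += 1
        elif not lab.vulnerable:
            counts["fp_not_vulnerable" if hit else "quiet_not_vulnerable"] += 1
        elif hit:
            counts["alert_on_failed_or_unclassified"] += 1
    return counts


# Constructed sample labels (not entries of the real data set).
SAMPLE_LABELS = [
    TraceLabel("exploitA", "Windows-2000-SP4", True, "success"),
    TraceLabel("exploitA", "Windows-XP-SP2", False, "failure"),
    TraceLabel("exploitA", "Linux-2.4", False, "failure"),
    TraceLabel("exploitB", "FreeBSD-4.11", True, "unclassified"),
    TraceLabel("exploitB", "Windows-2000-SP4", True, "failure"),
]
# Constructed IDS result: alerts were raised on two of the five traces.
SAMPLE_ALERTS = {SAMPLE_LABELS[0].filename(), SAMPLE_LABELS[2].filename()}

if __name__ == "__main__":
    for fam, row in summarize(SAMPLE_LABELS).items():
        print(fam, row)
    print(ids_accuracy(SAMPLE_LABELS, SAMPLE_ALERTS))
```

Because the label lives in the file name, the same trace can be re-scored against any IDS without consulting the database, and the per-family table is just a fold over the parsed names; the "unclassified" outcome is kept as a first-class value rather than being folded into failure, which matches the slide's own three-way split.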

Slide 8
Questions ???

Contact Information: Frederic Massicotte http://www.crc.ca/networksystems_security/

{frederic.massicotte, networksystems-security}@crc.ca